Overview

overview

10

Static

static

3

45de59851d...9f.exe

windows7-x64

10

45de59851d...9f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    26s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-07-2024 01:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe

  • Size

    66KB

  • MD5

    87d6d2488b1260e70f4042bf1f292529

  • SHA1

    161f9a79f8197c9b5de1beb7bd4d425d5c23b45b

  • SHA256

    45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f

  • SHA512

    a9d3930de1ff5849e61d1807c6de4b063790dc03f7e4f3f2101cbddde55002ffcc85d2ff433b753a5936403feedbc93c0f3658ffb5e8051d00ba58641e6afda7

  • SSDEEP

    1536:/NeRBl5PT/rx1mzwRMSTdLpJy/jIlkugRGVy/SR1qo+tEgfNni:/QRrmzwR5JysFV12i

Score
10/10
phobosdefense_evasionevasionexecutionimpactpersistenceprivilege_escalationransomware

Malware Config

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 3 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe
    "C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5020
    • C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe
      "C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe"
      2⤵
        PID:5032
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:648
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:3256
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3300
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:4412
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:4752
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          3⤵
          • Deletes backup catalog
          PID:4764
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3204
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set currentprofile state off
          3⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:4324
        • C:\Windows\system32\netsh.exe
          netsh firewall set opmode mode=disable
          3⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:2328
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4384
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2940
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:2368
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
          PID:452

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Command and Scripting Interpreter

        1
        T1059

        Windows Management Instrumentation

        1
        T1047

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Event Triggered Execution

        1
        T1546

        Netsh Helper DLL

        1
        T1546.007

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Event Triggered Execution

        1
        T1546

        Netsh Helper DLL

        1
        T1546.007

        Defense Evasion

        Direct Volume Access

        1
        T1006

        Impair Defenses

        1
        T1562

        Disable or Modify System Firewall

        1
        T1562.004

        Indicator Removal

        3
        T1070

        File Deletion

        3
        T1070.004

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Command and Control

        Exfiltration

        Impact

        Inhibit System Recovery

        4
        T1490

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.id[3D0423E5-3483].[[email protected]].8base
          Filesize

          3.6MB

          MD5

          55e476fd5f7520130c6c8b6778e6e4f8

          SHA1

          7e6455adb884a1e2353f0aa33f710ed11eaf67d0

          SHA256

          672fb72c0b9344052cc5cab0436a78b12fdf93f0b1121b8dbbf2e1e7fa7cbcf0

          SHA512

          6b49233bbf4dbb46abcade2aea7ba6a3ccb2caa5b1317dd182043ab653d43d211ba54ba96ae0ab6eddd359d85f45c4ac2c0180ae23119f6853ff8c5f378a95f1

          Download Submit